Mobile apps have been and continue to be at the forefront of companies’ strategies to expand their brand and appeal to new customers. With nearly every company shipping a mobile app for its customers, those apps become targets for bad actors. Native mobile apps are vulnerable to many of the same things a website has to deal with, but some attack vectors are unique because of a native app’s integrations into the OS and the different languages it is written in. Both Android and Apple provide built-in security controls that app developers can use to protect against the threats specific to mobile apps.
Unique Attack Vectors
Application Updates: Publishing updates to a web or mobile application is very important, both to fix security issues in your own code and to update dependent libraries and integrations, which may also have vulnerabilities. You can never force a user to update a mobile app. If they do not have auto updates enabled, it is up to the user to manually update to a new version. The best an app can do is prompt the customer to update when the app is opened, so having this functionality in the very first release of the app can be very important.
Filesystem: Mobile apps have access to isolated and shared file storage on the device. Certain storage locations are normally accessible only to the application at runtime, but a bad actor with physical access to a device running your mobile app can gain access to the app’s files. This can lead to the reading of sensitive files or the ability to modify them. Weak encryption can also be defeated on a jailbroken or rooted phone.
Poor Input Validation: Bad actors can supply malformed inputs that are consumed by your code and passed on to other parts of the OS or to integrations. If protections are not put in place, this can lead to buffer overflows and memory leaks.
Counterfeit Applications: The Apple App Store and Google Play Store have both been targeted with counterfeit applications that steal customer data and install malware. Such apps can be built from scratch by bad actors, or malicious code can be injected into legitimate applications without the original developers knowing.
Unique Protections and Security Controls
Network Controls and Certificate Pinning: Android and iOS each provide network whitelists and certificate controls that an application can set. Apple’s feature is called App Transport Security (ATS), while Android provides its Network Security Configuration. Both features allow whitelisting domains and restricting or allowing connections over HTTP/HTTPS. Both also allow control over the types of certificates the app will accept. Finally, certificate pinning can be configured to lock down exactly which certificates an app will accept when connecting to a server.
App Integrity Verification: DeviceCheck on iOS and the Play Integrity API on Android can be used to confirm the validity of the application making requests to your backend API and of the environment the application is running in. Platform-issued keys are sent in requests to your backend API, which can then validate them to confirm that the app has not been tampered with, is not running on a fake device, and has not been corrupted in some other way.
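As an added illustration of the backend-side checks described above (example code, not part of the original post), the function below applies policy to a decoded Play Integrity verdict. It assumes the classic request flow, in which the backend generates a nonce the app includes in its request, and that the token has already been decrypted and signature-verified; the package name, certificate digest and sample verdict are constructed placeholders.

```python
# Constructed policy values for this example; a real deployment uses its own package
# name and the base64url SHA-256 digest of its signing certificate.
EXPECTED_PACKAGE = "com.example.app"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_SIGNING_CERT_SHA256"}
MAX_TOKEN_AGE_MS = 5 * 60 * 1000  # verdicts older than five minutes are treated as replays

# Constructed sample, shaped like the decoded JSON verdict Google returns.
SAMPLE_VERDICT = {
    "requestDetails": {"requestPackageName": "com.example.app", "nonce": "n0nce-1",
                       "timestampMillis": "1000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.app",
                     "certificateSha256Digest": ["PLACEHOLDER_SIGNING_CERT_SHA256"], "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

def validate_integrity_verdict(verdict, expected_nonce, now_ms):
    """Apply backend policy to an already-decoded Play Integrity verdict and return the
    list of failed checks (empty means trusted). Decrypting and signature-checking the
    token, e.g. via Google's decodeIntegrityToken endpoint, must happen before this."""
    failures = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    # Nonce binding: the verdict must belong to this exact backend request, so a token
    # captured from one request cannot be replayed with a different request body.
    if req.get("nonce") != expected_nonce:
        failures.append("nonce mismatch")
    # Freshness: timestampMillis arrives as a string; reject stale, future or missing values.
    try:
        ts = int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        ts = -1
    if ts < 0 or ts > now_ms or now_ms - ts > MAX_TOKEN_AGE_MS:
        failures.append("stale or invalid timestamp")
    # Package identity must match on both the request and the evaluated app.
    if {req.get("requestPackageName"), app.get("packageName")} != {EXPECTED_PACKAGE}:
        failures.append("package name mismatch")
    # App integrity: the binary must be one Play recognises, signed with our certificate.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app not recognised by Play")
    if not EXPECTED_CERT_DIGESTS.intersection(app.get("certificateSha256Digest", [])):
        failures.append("signing certificate mismatch")
    # Device integrity: MEETS_BASIC_INTEGRITY alone is weaker; require the full device verdict.
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        failures.append("device integrity not met")
    # Licensing: the install came through Play under a licensed account.
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        failures.append("app not licensed")
    return failures
```

Every check is reported rather than short-circuiting, so a rejected request can be logged with the full set of reasons for later investigation.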
Code Obfuscation: Obfuscating code makes it more difficult for bad actors to decompile the application files and read through the code. Third-party tools are available for both Android and iOS, and Android also has built-in obfuscation tooling. Android’s newer R8 compiler can obfuscate code and has recently replaced the previously recommended third-party utility, ProGuard.
Encryption: Android’s KeyStore and iOS’ Keychain can be used by applications to encrypt and store sensitive data on a device. Android’s KeyStore is protected by the secure TEE hardware module, while iOS’ Keychain is protected by similar secure hardware called the Secure Enclave. These modules ensure that the key material is not accessible even at runtime, while the encrypted information is being decrypted and used. This prevents access to the keys even if the OS is compromised.
App Isolation/Sandboxing: Applications are fully isolated from each other. Each app has its own file system that is accessible only to that application. Both platforms provide ways for apps to share files, and both allow the user to restrict which files an app can access.
Staying on top of these security features is a full-time job when developing mobile applications. Both Android and Apple continuously release new security features and add new restrictions that must eventually be supported before new versions of your application can be released on the app stores. All this work is absolutely necessary given the complexity involved in keeping customer data and devices secure against ever-evolving threats.